AWS SSO is vulnerable by design to device code authentication phishing, providing a powerful phishing vector for attackers.